Blackhat for Hire

Blackhat is finally in theaters to portray a new type of war that’s being waged – cybersecurity wars. Add a few explosions, car chases and an A-list actor and you have a Hollywood movie expecting to portray a fundamentally boring exercise, cyberhacking, in an exciting way. Although, the movie does raise an interesting proposition of paying to hunt cybercriminals, the act of finding and bringing these people to justice holds quite a few impediments.

Hackers are very good about personal security and anonymity. They take the utmost care to cover their tracks whether on a national or international scale. Additionally, they don’t have to give their personal information to anyone unless they team up with someone else so finding hackers is not an easy thing to do. Add to this that most hackers come from jurisdictions that are beyond the reach of US law enforcement so even if they are discovered, not much can be done.

The issue with the movie along with the way that many companies approach the subject is that both entities reduce hacking down to a mathematical equation. Companies look at what the real cost of a potential breach is and then work backwards to provide the CISO with resources on par with such potential breaches. Companies take the loss of data and time in recovery to figure out what level of security is needed for its protection. While not absurd, it’s a bit misleading in that public relations cannot really be accounted for in such equations. The enterprise believes that it’s easier to pay for the aftermath instead of paying upfront for prevention. It’s all about the bottom line. When it costs companies more to pay for security after the fact then upfront costs will be worth it.

As the movie alludes to, there may be a day where the equation allows for companies to pay for prevention by hiring a blackhat (computer criminal) to track down these criminals before any damage is done. These people would be most effective if they are careful to limit collateral damage while also capturing criminals. The rapid spread of security breaches is frightening, but the fear is tempered by the fact that laws are being effectuated and light is being shed on the issue every day. However, what may need to be done is have the public (NSA & CIA) and private sector coordinate to find these criminals. Unfortunately, bringing them to justice is a task that seems may be answered on the Jan 20th State of the Union speech (stay tuned…).